Impact
The vulnerability is a path traversal flaw that permits unauthenticated users to obtain directory listings for any directory on the server. Attackers can traverse back to parent directories and view the contents of protected folders, potentially exposing sensitive files such as configuration files, backups, or other data that should not be publicly accessible. The direct impact is a loss of confidentiality; the disclosed listings could also be leveraged to inform further attacks such as file upload or code injection if additional weaknesses exist.
Affected Systems
The affected product is the Printcart Web to Print Product Designer for WooCommerce WordPress plugin. Versions up to and including 2.4.8 contain the vulnerability. No other product versions are known to be affected.
Risk and Exploitability
This flaw does not require authentication and has no additional prerequisites, which means an attacker can exploit it from the public internet as soon as the vulnerable plugin is installed. The EPSS score of <1% indicates a low probability of exploitation, and the CVSS score of 5.3 denotes moderate severity. The attack path is straightforward: request a crafted URL that targets the vulnerable upload/preview endpoint with directory traversal characters, and the server will return the requested directory listing. The resulting disclosure can aid attackers in mapping out sensitive filesystem structures, planning credential theft, or identifying other exploitable files.
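The root cause described above is a directory-listing endpoint that accepts a user-supplied subpath without confining it to its intended base directory. The following is an added illustration, not the plugin's code, of the confinement check such an endpoint should perform (and that a WAF rule can mirror); the upload root path and the sample request strings are constructed for the example.

```python
"""Confine a requested subpath to a fixed upload root before listing it.
Illustrative defensive check; not code from the Printcart plugin."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root; the plugin's real upload directory is not named here.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/printcart"


def normalize_request_path(raw: str) -> str:
    """Percent-decode repeatedly (so double encoding such as %252e%252e is
    unwrapped) and fold backslashes, so the check sees the effective path."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_within_root(raw_subpath: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the absolute directory to list if it stays inside root, else None.
    Lexical normalization only, so it runs offline; on a live server also pass
    the result through os.path.realpath so symlinks cannot escape the root."""
    sub = normalize_request_path(raw_subpath).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, sub))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None  # escaped the upload root: refuse to list
    return candidate


def is_traversal_attempt(raw_subpath: str, root: str = UPLOAD_ROOT) -> bool:
    """True when the request would have listed a directory outside root."""
    return resolve_within_root(raw_subpath, root) is None


# Constructed request strings of the kind the endpoint (or its logs) would show.
SAMPLES = {
    "designs/2024": False,
    "designs/../designs/2024": False,
    "../../../../private": True,
    "..%2f..%2fbackups": True,
    "%252e%252e/%252e%252e/": True,
    "..\\..\\private": True,
}

if __name__ == "__main__":
    for req, expected in SAMPLES.items():
        print(f"{req!r:30} traversal={is_traversal_attempt(req)} expected={expected}")
```

The same normalization step is what makes a log-based detection rule reliable: matching only a literal `../` misses the encoded and backslash variants shown in the sample set.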
OpenCVE Enrichment